I recently bought a paid certificate but I decided to make this guide public in case anyone needs to set up and use the DNS method. This method takes advantage of leaked enterprise certificates and uses a DNS blocklist to stop the device from reaching the Apple servers that check the validity status of these certificates.
- Some apps may not work properly or at all (X app in my case didn’t let me login saying I was offline)
- Extensions mostly don’t work because some entitlements are missing in this type of certificate
- VPNs can only be used if set up in a certain way
- Can be tricky to set up and keep working
- Notifications are working for some certificates (they need to have notifications entitlements, e.g. Tianjin Certificate does have it but Global Takeoff does not)
- Apps are properly installed
- Unlimited apps can be installed
- Apps don’t need to be refreshed
- Doesn’t require a PC/Mac to set up or use
I agree that Sidestore+LiveContainer is still the most convenient free method for sideloading at the moment; I’m not encouraging people to use one method over the other, this is not what this guide is intended for. My intention is to help people that for some reasons still prefer the DNS method, like for example, people who don’t have a PC/Mac or people who want notifications working. There are downsides and limitations on both the DNS method and Sidestore+LiveContainer and it is up to users to decide which one fits their needs better.
As far as I could see there are not many step-by-step guides about this method so I hope this can be useful to anyone.
- Open Safari and go to https://my.nextdns.io/
- Create an account and login
- Go to the Denylist tab
- Add these domains:
  - vpp.itunes.apple.com
  - appattest.apple.com
  - certs.apple.com
  - crl.apple.com
  - valid.apple.com
  - ocsp.apple.com
  - ocsp2.apple.com
  - ppq.apple.com

  This last domain (ppq.apple.com) will need to be used wisely but we will get to it later
- Go to the Setup tab, scroll down until you see Setup Guide and be sure that iOS is selected. Scroll down to Configuration Profile and click on the link apple.nextdns.io
- It will prompt you to install a Profile, allow it
- Go to the Settings app and click on the downloaded Profile, it’ll be called NextDNS (xxxxx). Enter your passcode and install it
- Go to Settings>General>VPN & Management>DNS and select NextDNS (xxxxx)
Now that our DNS is set up we need to install Ksign or Esign using a leaked enterprise certificate:
- Go to your NextDNS settings in Safari and under Denylist turn off ppq.apple.com
- Open a new tab in Safari and go to https://khoindvn.io.vn
- Scroll down until you see Ksign Bypass Revoke or Esign Bypass Revoke and click the first link from the top
- If the app doesn’t install properly, delete it and try another link
- If the app gets installed but says something like “The integrity could not be verified”, try another link
- If none of the links work you are likely blacklisted and the only way to fix that is to restore your device from iTunes/Finder or erase all content and settings from the device Settings app (you can back it up first, then restore the backup after the device has been erased)
- If the app gets installed and prompts you with something like ”Unable to verify app: An internet connection is required…” then proceed to the next step
- Go to the Settings app, then go to General>VPN & Management, click on the name of the certificate that got the app installed, click on Trust “Name of The Certificate” and then Allow and Restart
- Your device will restart and you will be prompted to enter your passcode to allow the Profile installation
- Once the device is on, click on the Ksign/Esign app. If it opens, go to the next step; if it doesn’t, go to Settings>General>VPN & Management, click on the certificate name and then on Verify app. Now Verify app will disappear and you should be able to open Ksign/Esign. If Verify app doesn’t disappear, that cert will not work and you will have to go back to step 4 and repeat the process
- Go back to the NextDNS settings in Safari and turn ppq.apple.com back on, then turn off your data/wifi for some seconds and turn it on again
At this point we have the DNS set up and Ksign/Esign installed. Let’s say that the hard part is over. Now we will have to add the certificate file to our Ksign/Esign app:
- Open this link and save the .zip file somewhere in your Files app. Open the Files app to the directory where you saved the .zip file and simply click on it to unzip it
- If you have KSign, open it and go to Settings>Certificates>Import KSign File and click on the + in the top right corner. If you have Esign, open it and go to Settings>Import Resource. Go to the directory where you previously unzipped the .zip file and open the unzipped folder. There will be two folders inside: KsignCert and EsignCert. Open the folder that matches your installer (KSign/Esign) and select the certificate with the same name as the certificate that you previously trusted in the Settings app under General>VPN & Management. If you have Esign, a prompt will pop up asking if you want to import certificate management; select Import
Now we can finally start to install apps through Ksign/Esign:
- Download the .ipa file of the app you want to install
- Open Ksign/Esign. On Ksign go to the Library tab, click on the + button in the top right corner, then select Import from Files and select the .ipa file you downloaded. On Esign go to the File tab, click on the three dots in the top right corner, then click on Import and select the .ipa file you downloaded
- Open Safari and go to the NextDNS settings (https://my.nextdns.io), go to the Denylist tab and turn off ppq.apple.com. Then turn off your data/wifi by toggling airplane mode on for some seconds, then re-enable data/wifi by turning airplane mode off
- Open Ksign/Esign. If you have Ksign, locate the app you previously imported in the Library tab and select Sign and Install. If you have Esign, go to Settings>Sign Default Config and toggle Install after signed on. Now go to the App tab, click on the app you imported and select Signature
- At this point the signing and installation process will start; click on Install when prompted and go to the home screen. Wait for the app to be installed
- When the app is installed go to Safari on the NextDNS settings in the Denylist tab and toggle ppq.apple.com on, then turn off your data/wifi for some seconds and then turn it on again
- Go back to the home screen and open the app you just installed; it should open and be working. If for some reason the app doesn’t get installed (I don’t know the exact reason but it can happen), delete the app and Ksign/Esign, go back to section 2 and repeat the process with another link
IMPORTANT: Every time you install an app, ppq.apple.com must be toggled off in the NextDNS settings. In the same way, when the app has been installed, toggle it on again. Every time you turn ppq.apple.com on, data/wifi must be turned off for some seconds and then turned on again.
For those, like me, who prefer Feather over Ksign/Esign, here’s how to install it and set it up:
- Open this link, download the .zip file and save it somewhere in the Files app
- Open the Files app to the directory of the .zip file and simply click on it; it will unzip it (it’ll be called certificates)
- Download the Feather .ipa from the official GitHub, import it in Ksign/Esign and install it like you would install any other app
- Open Feather and go to Settings>Certificates, then click on the + in the top right corner
- Select Import Certificate File and the file picker will open. Navigate to the certificates folder we previously unzipped, open it and open the folder with the same name as your certificate. Select the .p12 file and import it. Repeat the same process by clicking on the + in the top right corner and selecting Import Provisioning File, then select the .mobileprovision file. In the Password field enter the password, which is WSF, and click Save. Now the certificate is imported
- To install apps go to the Library tab, click on the + in the top right corner, then Import from Files. Import your app, sign it and install it. Always remember to turn off/on ppq.apple.com and data/wifi every time you’re installing an app
- Go to the Whitelist section in your NextDNS settings in Safari and add these domains:
- register.appattest.apple.com
- app.localhost.direct
As long as you follow all the steps correctly you shouldn’t be revoked, but keep in mind that this is a method that takes advantage of leaked enterprise certificates so it can be unreliable. Check the certificate expiration date in Feather/Ksign/Esign; when you are close (some days) to the expiration date you will have to find a new certificate.
Thanks to u/hmd_msrf_k_ who helped me to make this guide as correct as possible. Hope this guide will be helpful, keep it up and good sideloading.